Dealing with GDPR: what do SMEs need to know?

Every organisation operating in the EU, or handling the personal data of people in the EU, knows that 25 May 2018 is GDPR D-Day. They are also aware of the consequences of non-compliance: fines of up to €20 million or four percent of global annual turnover, whichever is higher.

And it seems a day doesn't go by without a GDPR story making headlines, filling organisations with fear, uncertainty, and doubt. Not only is there a multitude of rules that businesses must follow, but GDPR is a long and complex regulation with confusing language. Without understanding the basics, it is easy to make a mistake.

Ultimately, GDPR readiness comes down to the company: every business, regardless of size, is responsible for its own compliance. But while there has been plenty of GDPR advice for large companies, many small and medium-sized enterprises (SMEs) are being left behind, even though failure to comply could cripple their business.

So what should SMEs be doing to ensure they are GDPR ready? Do they need to take a different approach from larger companies? And how can they make sure they avoid the hefty fines?

The requirements

There are a number of terms used throughout the text of the GDPR, and it is important that SMEs understand them. Alongside 'data subject', 'controller', 'processor' and 'supervisory authority', one very important term to understand is 'enterprise'.

Many SMEs may make the mistake of believing that GDPR has no impact on them. But in the context of GDPR, 'enterprise' means any natural or legal person engaged in an economic activity, irrespective of its legal form. This broad definition covers everything from sole proprietors to giant multinational corporations, and the obligations placed on controllers and processors apply regardless of headcount, which means small businesses and individuals trading as businesses must comply with the GDPR rules.

GDPR isn't just a law for large companies with big budgets. It applies to all, so no matter how small the business, it is crucial to take notice.

Going back to basics

All businesses must appropriately protect personal data, and they must be aware of data subjects' rights. For small businesses, knowledge is key, and taking the appropriate basic actions is the recommended starting point.

Small businesses therefore need to understand what GDPR means for them. GDPR will affect most of them in some way, so they need to assess how much it affects them and act accordingly.

Answering the following questions may help SMEs in their readiness efforts:

  1. Do you collect personal data?
  2. Why are you collecting it, where is it processed, and how is it used?
  3. Is the data appropriately protected, and is it kept only for as long as it is needed?
  4. Do you share the data with third parties, or use it for marketing? If so, do the processors handling the data on your behalf have sufficient protective measures in place?
  5. Are you processing the data lawfully? Which lawful basis are you relying on, and if it is consent, does that consent meet the GDPR standard?

Question five is a very important one, especially when it comes to consent. Consent is only one of six lawful bases for processing under the GDPR (the others include performance of a contract, a legal obligation and the controller's legitimate interests), but where a business relies on it, the GDPR sets specific requirements: consent must be freely given, specific, informed and unambiguous, and given by a statement or a clear affirmative action. Silence, pre-ticked boxes and inactivity do not count, consent must be as easy to withdraw as it was to give, and the business must be able to demonstrate that it was obtained. The GDPR additionally demands 'explicit' consent in certain cases, such as processing special categories of data (health, biometric or genetic data, political opinions and the like) or relying on consent to transfer personal data outside the EU. Which means that if a business is going to rely on consent as its lawful basis, the law requires that it, regardless of size, obtain and record valid consent for the collection, processing, storage and transmission of data subjects' personal data.

A matter of scale

Most businesses have employees and customers, and therefore hold some level of personal data. This means that even though a business may be relatively small, the volume of personal data it holds may be quite large.

For example, a small business that focuses on consumer marketing may have only a handful of employees but plenty of personal data on consumers. GDPR requires you to be able to honour data subject requests, which include the right to erasure (the 'right to be forgotten'), the right to have inaccurate information rectified, and the right of access to the data you hold, and to appropriately protect that information. Such requests must normally be answered within one month. Small businesses that don't process customers' personal data may only need to worry about employee data. The purpose, protection and retention of personal data all matter when we think about GDPR.

Another important factor to consider is whether an SME provides services to larger companies. An SME that handles personal data on behalf of a client is a 'processor' under the GDPR, and Article 28 requires a written contract between the client and the processor setting out the processor's obligations, including processing only on the client's documented instructions, keeping the data secure and confidential, assisting with data subject requests and notifying the client of breaches. Such businesses need to ensure they are prepared, with the appropriate privacy, security and GDPR statements in place, because their larger clients will ask for them.

Getting GDPR ready

Many small businesses will have customers or employees who reside in the EU, and under GDPR these people have data rights that must be protected and managed appropriately. With data breaches now a routine occurrence, all businesses need to ensure they comply with data regulations like GDPR.

It's crucial that small businesses don't get into the mindset that they are not impacted by GDPR: every business, regardless of size, must comply. If they don't, the consequences could mean the end of the business.

For SMEs, the law isn't as daunting as it seems. A clear understanding of the personal data held, why it is held, where it is stored, who it is shared with and how long it is kept will put them well on the road to GDPR readiness.

By Tim Brown, VP Security Architecture, SolarWinds MSP
